Azure-related events in separate Log Analytics workspaces

Hi all,

I have a question about collecting Azure-related events (Entra ID, Office 365, Microsoft Defender, etc.) in separate Log Analytics workspaces.
Architecture:
- One Azure tenant 
- Four subscriptions
- Log analytics workspace in every subscription
- Microsoft Sentinel enabled on every Log analytics workspace
(attached image: Sentinel_architecture.jpg)

My question is: what is the best practice, or the best way, to collect specific Entra ID events (e.g., events related to accounts used by the finance department) in a specific Log Analytics Workspace (LAW) dedicated to the finance department? Also, how can I collect other events from Office 365 and Microsoft Defender (related to the finance department) and store them in the LAW dedicated to the finance department?

I want to store those events in the default tables for Entra ID, Office 365, and Defender within the LAW. I do not want to store the filtered data in custom tables within the LAWs.

@zelba0991 

Hi there,

You are going to have problems with this approach. The schemas for tables in Log Analytics are controlled by Microsoft, and the tables you are referring to all belong to Microsoft solutions. You don't have the ability to write to them directly with AMA. I wrote a script a few months back to test what can be written to directly using AMA and could only find 40 tables (see Writeable Sentinel tables). Anything else has to be a Custom Log table. This rules out using a script to take data from one workspace and duplicate it, filtered, to downstream workspaces.

Most Log Analytics tables do support transformations (see Tables that support transformations in Azure Monitor Logs), so you could enable log ingestion from the Microsoft services on all three workspaces and use KQL to filter away all the records you don't want (i.e. the other departments), but that's going to be a really costly solution with a massive overhead trying to support it. Don't forget that there is a charging floor for AMA transformations, set at 50% of the data ingest cost, that you will pay no matter how much of that data you filter away.

I presume that your goal is to let the different departments query and review their data without accessing the data of other departments? If this is an absolute need, and you have funding, have a look at Azure Data Explorer with Event Hubs. All the products you mention support writing to Event Hubs. You can use the same schemas used by Log Analytics for the products you mention (see Creating ADX table Schemas for Defender, Entra and Microsoft Sentinel), create four separate databases within the cluster using these schemas, and grant access to each to staff members of the different departments.

ADX is a spectacular product for Security - its compression rate is nuts. I have some tables that are stored at 3% of the original data size. All data is accessible with KQL, and security staff can hunt directly from Sentinel if you want.

The caveat is that setting up ADX has a bit of a learning curve, and the cost of Event Hubs has to be considered along with the cost of running a cluster, but for most organisations of any size you'll probably find it works out cheaper than Log Analytics, and you can store the data for as long as you want with almost no cost impact.
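The transformation route described in the reply, shown as an added example that is not from the original post or its author: a workspace transformation DCR for the finance workspace that keeps only Entra ID sign-in records for finance accounts before they land in the built-in SigninLogs and AADNonInteractiveUserSignInLogs tables. The workspace name `law-finance`, the UPN suffix `@finance.contoso.com` and the extra UPN list are assumptions for illustration.

```bicep
// Added example, not from the original post. A workspace transformation DCR
// that drops other departments' Entra ID sign-in records before they reach
// the finance workspace's built-in tables.
// Assumptions (not from the thread): workspace 'law-finance', a finance UPN
// suffix of '@finance.contoso.com', and a short list of extra finance UPNs.
param location string = resourceGroup().location
param workspaceName string = 'law-finance'
param financeUpnSuffix string = '@finance.contoso.com'
param extraFinanceUpns array = [
  'cfo@contoso.com'
  'treasury-svc@contoso.com'
]

// A transformation runs inside the ingestion pipeline and cannot look up a
// watchlist or another table, so the membership test has to be inlined.
var upnList = join(map(extraFinanceUpns, u => '"${u}"'), ', ')
var financeFilter = 'source | where UserPrincipalName endswith "${financeUpnSuffix}" or UserPrincipalName in (${upnList})'

resource financeWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource financeTransform 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-${workspaceName}-transform'
  location: location
  // WorkspaceTransforms DCRs apply to data that arrives without its own DCR,
  // which is how the Entra ID diagnostic setting delivers sign-in logs.
  kind: 'WorkspaceTransforms'
  properties: {
    destinations: {
      logAnalytics: [
        {
          name: 'finance'
          workspaceResourceId: financeWorkspace.id
        }
      ]
    }
    dataFlows: [
      {
        // Interactive sign-ins
        streams: [ 'Microsoft-Table-SigninLogs' ]
        destinations: [ 'finance' ]
        transformKql: financeFilter
      }
      {
        // Non-interactive sign-ins carry the same UserPrincipalName column
        streams: [ 'Microsoft-Table-AADNonInteractiveUserSignInLogs' ]
        destinations: [ 'finance' ]
        transformKql: financeFilter
      }
    ]
  }
}

// Set this id as the workspace's defaultDataCollectionRuleResourceId to link it.
output transformDcrId string = financeTransform.id
```

After deployment the DCR only takes effect once it is linked as the workspace's default DCR (`defaultDataCollectionRuleResourceId`), and only tables on the supported-tables list the reply links to can be named in `streams`. Two practical caveats follow from the reply: every department workspace still receives the full Entra ID stream from its diagnostic setting and is billed at the transformation floor for what it drops, and because the filter cannot consult a watchlist, a change in finance membership means redeploying the DCR with a new list.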
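The ADX route from the reply, as an added example that is not from the original post or the linked schema article: one department database fed by the Entra ID diagnostic setting's Event Hub export, with an update policy that keeps only finance sign-ins and a database-level grant for the finance team. The database name `FinanceDB`, the UPN suffix, the group identifier and the reduced column set (a subset of the Log Analytics SigninLogs schema, rather than the full schema the reply's article builds) are assumptions for illustration.

```kql
// Added example, not from the original post: an ADX database per department,
// fed from the Entra ID diagnostic setting's Event Hub, keeping only finance
// sign-ins. Assumptions (not from the thread): database 'FinanceDB', UPN
// suffix '@finance.contoso.com', and a reduced subset of the Log Analytics
// SigninLogs columns.

// 1. Landing table. Diagnostic-setting messages on the Event Hub arrive as
//    {"records":[ ... ]}, so land each batch as a single dynamic value.
.create-merge table SigninLogsRaw (records: dynamic)

.create-or-alter table SigninLogsRaw ingestion json mapping 'SigninLogsRawMapping'
'[{"column":"records","path":"$.records","datatype":"dynamic"}]'

// 2. Target table in the shape analysts already know from Log Analytics.
.create-merge table SigninLogs (
    TimeGenerated: datetime,
    Category: string,
    UserPrincipalName: string,
    AppDisplayName: string,
    IPAddress: string,
    ResultType: string,
    Properties: dynamic)

// 3. Expand each batch and keep only the finance department's accounts.
.create-or-alter function with (folder = 'Ingest', docstring = 'Finance-only SigninLogs from raw batches')
ExpandFinanceSignIns() {
    SigninLogsRaw
    | mv-expand record = records
    | where tostring(record.properties.userPrincipalName) endswith '@finance.contoso.com'
    | project
        TimeGenerated = todatetime(record['time']),
        Category = tostring(record.category),
        UserPrincipalName = tostring(record.properties.userPrincipalName),
        AppDisplayName = tostring(record.properties.appDisplayName),
        IPAddress = tostring(record.properties.ipAddress),
        ResultType = tostring(record.properties.resultType),
        Properties = record.properties
}

// 4. Update policy: every ingest into SigninLogsRaw runs the function and
//    writes the filtered rows into SigninLogs. Transactional, so a failing
//    function fails the raw ingest instead of silently dropping rows.
.alter table SigninLogs policy update
@'[{"IsEnabled": true, "Source": "SigninLogsRaw", "Query": "ExpandFinanceSignIns()", "IsTransactional": true, "PropagateIngestionProperties": false}]'

// The raw batches are not retained; other departments' rows exist here only
// for the duration of the ingest.
.alter-merge table SigninLogsRaw policy retention softdelete = 0d

// 5. Only the finance security group can read this database.
//    Placeholder group object id and tenant; replace with your own.
.add database FinanceDB viewers ('aadgroup=00000000-0000-0000-0000-000000000000;contoso.com') 'Finance SecOps'
```

Each department database gets its own Event Hub data connection (a separate consumer group on the same hub) targeting `SigninLogsRaw` with this mapping, repeats the script with its own filter, and gets its own `viewers` grant; permissions live at the database boundary, which is the isolation the reply describes. Every database reads the whole stream and discards what it does not keep, which is where the Event Hub throughput cost the reply mentions comes from.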